
ACSC: FOCUSED ON CYBER SECURITY AND CRITICAL INFRASTRUCTURE

By Abigail Bradshaw CSC,

Head Australian Cyber Security Centre

What does your crisis response plan tell you to do if you couldn’t access your systems? Or, worse, if you lost control of your systems entirely and someone else started using them? Unfortunately, this is one of the chilling possibilities you must confront and prepare for in the defence industry.

AN EVOLVING THREAT

Since the Australian Cyber Security Centre’s (ACSC) last contribution to this publication in 2019-20, the cyber threats to Australia have continued to evolve. This includes an increase in sophisticated ransomware attacks, online fraud incidents, business email compromises, and data breaches. And this is just from the cyber criminals. The defence industry and the businesses that support it are also prime targets for state-based actors who continue their drive to access our systems to build intelligence and steal intellectual property.

The ACSC’s latest Annual Cyber Threat Report shines a light on how cybercriminals and adversaries have taken advantage of the COVID-19 pandemic to target Australian households and businesses, including through persistent scams and destructive ransomware attacks.

The pace and scale of cybercrime and cyber incidents is truly astounding. The report shows the ACSC received a cybercrime report around every eight minutes, and Australian victims of cybercrime self-reported losses topping a massive $33bn in the 2020-21 financial year. That is real money coming out of the economy and your business. Cybercrime undermines our prosperity, national sovereignty and strategic vision for our region.

As the head of the ACSC, a key focus is the protection of critical infrastructure, the defence industry and the essential services all Australians rely on. This applies equally across the Defence sector, including the small-to-medium enterprises that make up the defence supply chain.

The Australian Cyber Security Centre operates 24/7 to help make Australia the most secure place to connect online. © ACSC 2021.

WHAT’S AT STAKE

You and your organisations hold petabytes of sensitive data relating to everything from boots to bombs, fighter jets to submarines. These assets are vital to the defence of the nation. The data behind them is highly valuable and of significant interest to cyber criminals. My message to you is cyber risks are real. You must plan for the inevitability of a cyberattack and how you will respond.

Cyber threats to the defence industry that compromise or threaten the essential functioning of Australia’s critical infrastructure are threats to our national security. When it comes to critical infrastructure, the potential impacts of an attack go beyond simply not being able to access files and do business - they could be catastrophic, even deadly. That is why the Security Legislation Amendment (Critical Infrastructure) Bill 2020, currently before Parliament, enhances protections and the preparedness of critical infrastructure assets.

The legislation is a significant step in protecting the vital infrastructure that delivers the goods and services we need and rely on. It has been designed to lift the cyber resilience of our critical infrastructure while facilitating the delivery of the capabilities we need. It also complements the Defence Industry Security Program, which sets out very important requirements to minimise security risks. This helps you protect the sensitive and classified information you hold.

At the ACSC, we are here to assist defence industry. We have a range of tools in our arsenal to do this. The best thing you can do if you’ve been impacted by a cyber incident is to voluntarily report it to the ACSC at cyber.gov.au. I cannot reiterate enough how important it is to report cyber incidents early as it enables us to help you, and others.

WORKING TOGETHER

Engaging with the ACSC as soon as possible allows us to share anonymised information with our partners that can potentially stop them falling victim to the same attacks. Of course, your confidentiality is as much a priority for us as it is for your business.

As I often say, cyber security is a team sport, and the best offence is a good defence. A simple way to strengthen your defences is to join the ACSC Partnership Program, which ensures you receive our latest advice and alerts. By becoming a partner, you can engage with the ACSC and fellow partners, receive tailored advice and technical expertise, and draw on collective understanding of the latest threats.

The ACSC website (cyber.gov.au) also has free step-by-step guides to prevent and respond to ransomware attacks, a Cyber Security Assessment Tool, and information on implementing our Essential Eight Maturity Model. We want defence industry to be secure, by applying strong technical and cyber security practices. Do not wait for a cyber incident before you decide to lift your cyber defences. The time to act is now.

The ACSC can be contacted 24/7 via asd.assist@defence.gov.au and 1300CYBER1. More information is available at cyber.gov.au

By Rachael Falk,

CEO Cyber Security Cooperative Research Centre

CSCRC: KEY PLAYER IN AUSTRALIA’S CYBER SECURITY ECOSYSTEM

Almost every part of our lives is touched by the internet – it is central to the way we live, the way we work and, at a larger scale, the economic prosperity and national security of Australia. Consequently, cyber security is also pivotal to our way of life.

CROSS-SECTOR COLLABORATION

Established in 2018, the Cyber Security Cooperative Research Centre (CSCRC) is dedicated to fostering the next generation of Australian cyber security talent, developing innovative projects to strengthen our nation’s security capabilities. We build effective collaborations between industry, government and researchers, creating real-world solutions for pressing cyber-related problems. We achieve this by identifying, funding and supporting research projects that build Australia’s cyber security capacity and address issues across the cyber spectrum, both technology and policy related.

The CSCRC’s participants come from a diverse range of sectors from right across Australia, with our research headquarters located at Edith Cowan University’s Joondalup campus in Western Australia. At the helm is Research Director, Professor Helge Janicke, one of the world’s most respected experts on critical infrastructure cyber security.

Our researchers strive to produce evidence-based solutions to critical cyber security problems, with real-world applications to help governments, businesses and individuals. This is underpinned by collaboration – the centre does not operate in a silo. Rather, we work with industry partners and universities to produce research with academic rigour and tangible results.

By engaging in relevant projects aimed at enhancing Australia’s sovereign capabilities, building our nation’s cyber capacity and helping to ensure policy and law keep pace with technology, the CSCRC is a key player in Australia’s cyber security ecosystem. The CSCRC also undertakes a key public role in cyber security advocacy, providing evidence-based commentary around relevant cyber security issues.

ROLE OF COOPERATIVE RESEARCH CENTRES

Cooperative Research Centres (CRCs) are collaborations between industry, government and academia. They offer a unique opportunity for participants to bridge the gap between research and real-world applications, creating material solutions for sector-specific problems. CRCs drive innovation and help build Australia’s capability and capacity for the future. The scheme was established in 1991 under the Hawke government and remains an integral driver of research innovation and collaboration in Australia. There are currently 24 active CRCs. In 2018 the CSCRC was awarded $50m in Commonwealth funding over seven years. This funding is supplemented by contributions from industry, university and government agency participants.

RESEARCH DELIVERS SOLUTIONS

The CSCRC has two core research themes: Critical Infrastructure Security and Cyber Security Solution as a Service.

Critical Infrastructure Security is focused on protecting core systems vital for Australian businesses and governments to function efficiently and provide essential services. Through this theme the CSCRC delivers cyber security solutions that improve the security and reliability of Australia’s critical infrastructure, helping ensure Australia remains a safe and trusted place to do business.

The Cyber Security Solution as a Service theme is aimed at bolstering organisational cyber resilience via the delivery of rigorous and cost-effective solutions. The CSCRC delivers solutions that promote and enhance cyber resilience for large and small-to-medium enterprises so they can do business safely in a connected world.

In addition to these more ‘technical’ areas, the CSCRC also has a law and policy theme, which focuses keenly on the nexus between cyberspace and cyber security and its legal, policy and regulatory impacts. The objective of the theme is to develop and inform legal and public policy analysis and legislative guidance with respect to domestic and international cyber security challenges. Through this theme the CSCRC is enhancing the capacity of the Australian Government and industry to develop consistent, robust legal and regulatory approaches to strategy and policy across government, business and civil society.

The CSCRC welcomes engagement and collaboration with stakeholders and organisations from both the private and public sectors. Cross-sector cooperation is our strength and a key pillar in bolstering Australia’s cyber security.

By Cecily Rawlinson,

DIRECTOR, WA AustCyber Innovation Hub

AUSTCYBER: WORKING WITH SMES TO DEFEND SUPPLY CHAINS

We face shortages that affect our daily lives, in everything from cars to computer chips. The current global situation has highlighted challenges to our ability to rely on ourselves in times of crisis. This can be viewed as one of the negative consequences of entrenched globalisation. It’s no wonder that over the last 18 months the term ‘supply chains’ has entered our daily vernacular.

In 2020, the Australian Government issued a defence strategy update acknowledging national vulnerabilities stemming from a reliance on global supply chains. It called for greater security, including in sovereign industrial capability supporting Defence. The importance of being able to sufficiently meet our own needs has arguably never been more critical. There is no doubt cyber security sovereignty will shape our future security and resilience. Cyber security was a notable inclusion in the announcement of the AUKUS partnership, highlighting its importance domestically and with Australia’s allies, who have placed faith in its capabilities. This represents an opportunity for Defence, industry and related supply chains in Western Australia. Businesses of all sizes must be ready to demonstrate their cyber-resilience to key customers.

It is the role of the WA AustCyber Innovation Hub (WAACIH) to raise awareness of local and national cyber commercial capabilities and promote job creation in the sector. There is an immediate opportunity for contractors and third-party providers to WA, and Australian defence contracts, to benefit from the Hub’s expertise and connections. Research has found SMEs are the most vulnerable to cyber security attacks and cybercrime. About one quarter of cyber incidents reported to the Australian Cyber Security Centre in the last 12 months were associated with Australia’s critical infrastructure or essential services. WA’s risk is heightened by the increasing use of, and connectivity to, systems like Operational Technology. This vulnerability leads to an increase in attacks on OT assets that impact critical infrastructure. Supply chains – particularly software and services – continue to be targeted by malicious actors to gain access to vendors’ customers. A significant cyber risk threat arises from the inability to control security measures adopted by supply chain partners. A global study found two-thirds of IT decision-makers say their organisations experienced a software supply chain attack. Virus insertion can arise at any stage in the supply chain. Supply chain management, at the hardware or software or communications level, must be a priority.

SMEs are the most vulnerable sector of Australian businesses to cyberattack. Supply chains are of strategic value to, and therefore targeted by, malicious actors. Current policy settings and legislation do not adequately address cyber risk in supply chains. Urgent action is needed to help SMEs and all businesses involved in the defence industry supply chain to protect themselves.

This is where WAACIH comes in. As the only neutral and impartial West Australian adviser on, and connector of, experts in the cyber risk and security landscape, AustCyber believes a strong domestic or sovereign cyber security industry can and should play a vital role in protecting the economy and industries. This will enable growth through informed uptake of trusted digital technologies. Having a national capability as a prominent and strategic part of the cyber security sector overall is fundamental to Australia’s interests.

There is no reason to consider Australian software suppliers fundamentally more exposed or riskier than overseas suppliers. From an ongoing supply chain and sovereignty perspective, local suppliers may be less risky - particularly in critical infrastructure and defence industry supply chains. The NSW government’s example of committing to a target of 30% of its total ICT spend on SMEs is a public policy example to be commended. It disrupts ‘business as usual’ and gives local Australian SMEs a chance to develop their customer and knowledge base, and human capital. It fosters local innovation in ICT and cyber security. Australian-owned businesses are also clear of external influences that might fetter the ADF’s access to supply during times of need. Through use of sovereign cyber security solutions, and by upskilling SMEs, Australia can limit cyber risks in strategic industries. WAACIH offers expert advice on how best to mitigate, minimise and defend against these risks in an evolving landscape.

Cyber security sovereignty will shape our future security and resilience. The question is, will your business and supply chain be ready, and will you be able to demonstrate cyber resilience to key customers?

wacyberhub.org